Adding normalization rules

April 11, 2024

ID 195811

This section explains how to add normalization rules to an event source.

About normalization rules

Normalization rules are used for transforming events. After Kaspersky CyberTrace applies normalization rules to an incoming event, the event is processed using regular expressions.

There are two types of normalization rules:

  • Replacing rules

    Rules for replacing one character sequence with another.

  • Ignoring rules

    Rules for ignoring events that contain a character sequence.

If both replacing rules and ignoring rules are set, replacing rules are applied first and ignoring rules are applied second.

In the specified regular expressions, the asterisk (*) and question mark (?) are not treated as wildcard characters.
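
The following Python sketch is an added example, not Kaspersky CyberTrace code. It models the order described above (replacing rules first, ignoring rules second) so that rules can be dry-run against sample events. Assumptions: Python's re module stands in for the product's regular expression engine, the replacement is treated as literal text, and the normalize function, rules and event lines are constructed for illustration.

```python
import re

def normalize(event, replace_rules, ignore_rules):
    """Return the normalized event, or None if an ignoring rule drops it.

    Hypothetical helper that models the documented order only.
    """
    # Step 1: replacing rules rewrite the event text.
    for pattern, replacement in replace_rules:
        # Assumption: the replacement is inserted as literal text.
        event = re.sub(pattern, lambda m, r=replacement: r, event)
    # Step 2: ignoring rules are matched against the rewritten text.
    for pattern in ignore_rules:
        if re.search(pattern, event):
            return None
    return event

# Constructed sample events (not real log data).
E1 = "fw01 src=srv01 url=hxxp://updates[.]example/ping"
E2 = "fw01 src=srv10 url=hxxp://files[.]example/a.bin"

# Replacing rules: undo defanging before the event is matched.
REPLACE_RULES = [(r"hxxp", "http"), (r"\[\.\]", ".")]
# Ignoring rule: drop events from srv00..srv09 ("." is any one character).
IGNORE_RULES = [r"src=srv0."]

def demo():
    return {
        # Intended behavior: srv01 is dropped, srv10 is kept and rewritten.
        "srv01": normalize(E1, REPLACE_RULES, IGNORE_RULES),
        "srv10": normalize(E2, REPLACE_RULES, IGNORE_RULES),
        # Order pitfall: an ignoring rule written against the raw text
        # never fires, because "hxxp" has already been replaced.
        "stale_ignore": normalize(E2, REPLACE_RULES, [r"hxxp://"]),
        # Wildcard pitfall: "?" makes the preceding "0" optional, so
        # "src=srv0?" also matches "src=srv10" and drops the event.
        "glob_style": normalize(E2, REPLACE_RULES, [r"src=srv0?"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

An ignoring rule that drops more than intended removes events before they are processed, so checking each rule against both events that must be dropped and events that must be kept is worthwhile.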

Adding normalization rules

Figure: Normalization rules tab in CyberTrace.

To add a normalization rule:

  1. Navigate to the Settings page.
  2. Open the Matching tab.
  3. Locate an event source that must use the new normalization rule. Click the Edit (pencil) button to open the source properties.

    The window with the properties of the selected event source opens.

  4. Locate the Normalization rules tab.
  5. Select the Apply normalization rules check box.
  6. If normalization rules are already specified for the event source, add a new entry. Click Add new rule to add extra text boxes for new rule parameters.
  7. Specify rule parameters:
    • For a replacing rule, specify a regular expression in the To replace text box and a replacement in the Replace with text box.
    • For an ignoring rule, specify a regular expression in the Ignore events that contain this text box.
  8. Click the OK button.
